
HTML Injection in uptime-kuma Status page #4774

Closed
muhammadahmad62 opened this issue May 19, 2024 · 3 comments
@muhammadahmad62
DO NOT PROVIDE ANY DETAILS HERE. Please privately report to https://github.com/louislam/uptime-kuma/security/advisories/new.

Why is this issue needed? It is because GitHub Advisory does not send a notification to @louislam; this issue is a workaround to do so.

Your GitHub Advisory URL:
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-ffvm-p92q-25c3

@louislam (Owner)

It is a feature that users can add HTML code. Also, it can only be edited after logging in. No unauthorized attacker can do this.

The implementation here:

```js
// Vue computed properties of the status page: each text field is rendered
// from Markdown with marked() and the resulting HTML is passed through DOMPurify.
incidentHTML() {
    if (this.incident.content != null) {
        return DOMPurify.sanitize(marked(this.incident.content));
    } else {
        return "";
    }
},
descriptionHTML() {
    if (this.config.description != null) {
        return DOMPurify.sanitize(marked(this.config.description));
    } else {
        return "";
    }
},
footerHTML() {
    if (this.config.footerText != null) {
        return DOMPurify.sanitize(marked(this.config.footerText));
    } else {
        return "";
    }
},
```

@CommanderStorm (Collaborator)

It is also sanitised.
If you have found a sanitisation escape, please report it to https://github.com/cure53/DOMPurify/security instead.

Given that no such advisory has been published by cure53..

@louislam (Owner)

@muhammadahmad62 said:

> Hi @louislam,
>
> Thank you for your response. I understand that Markdown syntax is supported here, but HTML code, especially tags like `<form>`, should not be allowed. These can be exploited for Form Hijacking Vulnerabilities to harvest credentials from users. So the input should be further sanitized. Given this, I kindly request that you reconsider the assessment of this report.
>
> Thank you for your attention to this matter.
>
> Best regards,
> @muhammadahmad62

But my point is that everything can be done by the admin only. I don't think admins would hack their own Uptime Kuma.

Also, for example, applications like WordPress and GitHub (code editor) also allow users to edit HTML code and deploy it to production; are they exploited for Form Hijacking Vulnerabilities too?
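As an added example (not code from this thread or from the uptime-kuma project), the following Node.js helper shows the kind of check an administrator could run over exported status-page text before deciding whether the DOMPurify call above needs a tighter configuration. It scans the three fields the computed properties render (description, footer text, incident content) for form-related and framing tags and reports which fields contain them. The tag list, the field names and the sample config are assumptions for illustration; the helper is an audit heuristic, not a sanitizer, and does not replace DOMPurify.

```javascript
// Added example, not part of uptime-kuma. Audits status-page text fields for
// tags that could be used to build a credential-collecting form or to embed
// foreign content. The tag list and field names are assumptions for illustration.
const WATCHED_TAGS = ["form", "input", "button", "select", "textarea", "iframe", "script"];

// Match an opening or closing tag whose name is in the watch list, case-insensitively.
// "<\s*/?\s*" tolerates whitespace after "<" and an optional closing slash;
// "\b" stops "<formula>" from matching "form".
const TAG_RE = new RegExp(`<\\s*/?\\s*(${WATCHED_TAGS.join("|")})\\b`, "gi");

// Return the sorted, de-duplicated lower-case names of watched tags found in `text`.
// Non-string input (e.g. a null incident content) yields an empty list.
function findWatchedTags(text) {
  if (typeof text !== "string") return [];
  const found = new Set();
  for (const m of text.matchAll(TAG_RE)) found.add(m[1].toLowerCase());
  return [...found].sort();
}

// Audit one status-page config object. Only the three fields the thread's computed
// properties render are checked; returns { fieldName: [tag, ...] } for fields with hits.
function auditStatusPage(config) {
  const fields = {
    description: config.description,
    footerText: config.footerText,
    incidentContent: config.incident && config.incident.content,
  };
  const findings = {};
  for (const [name, value] of Object.entries(fields)) {
    const tags = findWatchedTags(value);
    if (tags.length > 0) findings[name] = tags;
  }
  return findings;
}

// Constructed sample config: a benign description, a footer with form markup
// mixed into Markdown, and no incident text. The URL is a placeholder that points nowhere.
const sampleConfig = {
  description: "All systems **operational**. Contact: <a href=\"mailto:ops@example.invalid\">ops</a>",
  footerText: "Log in to see more:\n<FORM action=\"https://example.invalid/collect\"><Input name=\"pw\"></form>",
  incident: { content: null },
};

// Running the file prints {"footerText":["form","input"]} for the sample above.
const sampleFindings = auditStatusPage(sampleConfig);
console.log(JSON.stringify(sampleFindings));
```

Any field reported here is one the administrator entered deliberately or one whose edit history deserves a look; if the project ever chose to disallow such tags outright, DOMPurify's `FORBID_TAGS` option is the configuration point where that would be done, without writing a second sanitizer.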
